Levity aside: When the news hit in early September that credit reporting company Equifax failed to announce a breach of the credit and financial information from May to July of this year, angry consumers and politicians denounced the company.

Equifax had known of the hack since late July, yet waited until September 7 to reveal the breach, potentially affecting more than half the U.S. adult population, 143 million. On October 2, Equifax indicated another 2.5 million might be affected. Consumers are at risk for identity theft, as Social Security, driver's license and credit account numbers, passwords, income, addresses, birthdates, and other identifying information could be readily available and on the black market (lately called deep web or dark market) for sale to thieves worldwide. Oh, and on September 21, we learned the hackers got payroll and W-2 information, too.

Execs under scrutiny - and out the door

On the front page of the Wall Street Journal September 22, the article “Hack Upends Equifax CEO” reports Richard Smith told an audience in August that data fraud is a “huge opportunity” for the credit reporting company to sell consumers more services. Smith’s comments were recorded on video at a University of Georgia Terry College of Business breakfast meeting. After much criticism and calls for investigation, Smith resigned effective September 26 and testified before the Senate Banking Committee. Watch excerpts from the testimony here and the full hearing here. The Wall Street Journal has this: "Senators Rip Credit Reporting Model in Wake of Equifax Breach."

“The trades avoided the price plummet that followed the credit bureau’s public disclosure of one of the largest data breaches in U.S. history,” according to the Journal.

What happened?

There have been many errors on my credit report over the years, so my confidence in the reporting agencies was pretty low to begin with. Starting with trying to correct errors that somehow ended up on my report - I’ve never lived in Massachusetts, nor had a T-Mobile cell phone.

Add to that the research and programming on consumer credit/consumer protection topics we’ve conducted and covered on ALJ over the years and I just knew we were in for more trouble than the news of the breach initially indicated.

“The breach has shaken the trust of the public and lenders in the ability of one of the country’s largest credit-reporting companies to safely store and manage consumers’ data.” - “Two Top Equifax Executives to Retire,” WSJ, Sat/Sun September 16/17, 2017.

Equifax, Inc. announced they noticed “suspicious network traffic” on July 29. A first attempt at a fix was met with more “suspicious traffic” the next day.

The credit reporting agency blamed the breach on a vulnerability in the Apache Struts software, which hackers used to access the data. Equifax says a “patch” was applied, but security experts say the update was performed late, incorrectly or wasn’t enough. Read more in the aptly titled WIRED magazine article "Equifax Officially Has No Excuse."

The hits just keep on comin’

Consumers were told by the company to go to the data breach information website www.equifaxsecurity2017.com and enter their last name and the last few digits of their Social Security number. There you could see if you were potentially exposed, though data safety experts claim even that website was vulnerable and possibly hacked. In yet another forehead-smacking instance, Equifax was directing consumers to a fake site, here in 3 separate tweets as seen on NPR.org September 21.

The Federal Trade Commission, Federal Bureau of Investigation, Consumer Financial Protection Bureau and Congress are investigating the breach; the Department of Justice and Securities and Exchange Commission (SEC) are scrutinizing the alleged insider trading, among other wrongdoing.

What types of legal action are underway?

Now that the forced arbitration clause is removed from the optional enrollment in Equifax “Trusted ID Premier,” consumers are not blocked from seeking legal remedy. There are currently two potential avenues:

- How the FCRA applies to data hacks, and

- Whether consumers who don’t suffer financial repercussions have standing to sue.

One law firm says the Equifax hack could end up being the largest class action in history, possibly as much as $70 billion.

But what "piece of that pie" would go to consumers? Administering class action lawsuits is costly for law firms up front, but can bring them significant revenue if, and only if, they are successful. So those who begrudge them their fees, know that it's a risk they take and a great amount of work.

That being said, it's not reassuring to read the article "Legal Experts See Room for Deal in Equifax Data Breach Lawsuits" in Insurance Journal. Those quoted in the article say Equifax may end up spending an average of $1 per person for credit monitoring and out-of-pocket expenses for the 143 million consumers whose data was exposed. That's a far cry from the federal law that "carries damages of as much as $1,000 per violation, plus punitive damages." Many consumers are already out of pocket themselves for credit freezes and signing up for monitoring from other companies (though buyer beware, at least one monitoring service from a well-known company uses data from ... wait for it ... Equifax).

Federal & State actions

Federal lawsuits and complaints by state attorneys general, filed on behalf of consumers, are underway; New York, Pennsylvania and Connecticut have filed and more will likely file in the days and weeks to come.

Update: The Wall Street Journal (sub.req.) in "States Quiz Equifax on Disclosure" reports October 30 that there are attorneys general in at least five states pursuing action: Illinois, Connecticut, Indiana, Massachusetts, and New Hampshire. Forty-eight states, reports the article, have "laws requiring notification" of consumer breaches, usually within 45 days.

What chance do consumers (and the government) have to successfully sue Equifax?

At this time, the lawsuits are relying on the FCRA. But according to the ABA, one previous data breach case against credit reporting agency Experian using the law was thrown out by a federal judge; other claims are pending.

The legal questions as summarized by the ABA are:

- How does the FCRA apply to data hacks?

- Do consumers who don’t have their identity stolen (yet) or suffer financial repercussions have standing to sue?

The hurdle for plaintiffs, in most cases, is the requirement that there must be a concrete injury that can be redressed. “But more courts are warming to the idea that even the threat of identity theft—and the aggravation, distress and cost of containing the risk—can cause harm” that gives plaintiffs standing to sue, the article says. A data breach case currently in litigation involves a health care insurance company; this litigation may end up at the Supreme Court.

What’s happened in Congress since the breach was announced?

Members of Congress were quick to issue sharply worded statements condemning not only the breach but the actions - and inactions - of Equifax.

- Rep. Ted Lieu (D-Ca.) told the Washington Post that he is drafting two bills: one creating minimum data security standards for the credit reporting agencies and the other to bar companies from forcing victims into arbitration instead of other legal remedy (think class action).

- Senator Mark Warner (D-Va.), also in the Washington Post, says he’s working on a data breach notification bill, requiring companies of all kinds to notify customers with breached information within a narrow timeline.

- The House Financial Services Committee is investigating the August 21 “options trading” by the three Equifax execs.

- The Senate Banking Committee hearing is October 4; former CEO Richard Smith will likely testify despite his resignation on September 26.

There’s something new every day, though there are indications this may be influenced by party politics. Watch the news from all perspectives to learn more.

If you need a little perspective from the Senate Banking hearing with former CEO Smith, check this out:

Holding Equifax accountable

Monopoly Man's not the consumer's champion here, but maybe our legal system will be. While the DOJ and SEC investigate the insider trading, legal minds are discussing how to best hold Equifax accountable.

“Imagine a chemical company accidentally disperses toxic gas over a neighborhood. Instead of telling residents right away, the company waits six weeks, breaking the news only after putting up a crisis-management website. Rather than directly informing everyone affected, the company tells citizens to enter their address online to see if they were in the exposure area.

The company offers a year of health monitoring to those who register within a narrow time window, but has no plan to compensate those whose monitoring reveals bad news. Those who don’t sign up for monitoring on time are on their own.

Now imagine that there is a government official, a judge, who is supposed to help hold the chemical company accountable — and has all of the tools to do so — but this official waits for a different government official, a regulator, to take the lead. Because there are no laws about this exact kind of gas leak, the judge decides that the chemical company doesn’t owe anybody anything.”

D’Onfro concedes that having your financial data compromised may seem less threatening than exposure to toxic gas. But, she says, this breach could cause substantial harm impacting consumers’ lives every day. Buying a house or taking out a home equity or other loan to pay college tuition could be delayed or denied, all due to identity thieves racking up enormous amounts of debt. It could take years for consumers to get their identity back.

More than 50 years ago, D’Onfro points out, the legal system developed the doctrine of “strict products liability,” derived from the tenets of common law. In the evolving economy, it was more difficult to pinpoint if a product, distributor, wholesaler or manufacturer was negligent in a way that caused physical or financial injury.

It was judges who applied the doctrine, by then codified into law, which holds that “manufacturers, distributors and sellers are liable for any injury their products cause, regardless of how well-designed the product is or who is ultimately responsible for the harm.”